Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

US National Security Officials Brief Telecom Executives

National Security Officials Share Intelligence on a Cyberespionage Campaign
US National Security Officials Brief Telecom Executives
Chinese hackers are likely still lurking inside U.S. telecom infrastructure. (Image: Shutterstock)

The White House hosted a meeting Friday with executives of the U.S. telecommunications sector to share intelligence pertaining to China's "significant cyberespionage campaign targeting the sector."

The FBI has said the attackers breached multiple telecoms in pursuit of U.S. national security intelligence, including targeting officials from both presidential campaigns prior to the Nov. 5 elections.

The White House said the meetings, led by National Security Adviser Jake Sullivan and Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, focused on improving national cybersecurity defenses and resilience capabilities.

The FBI and the Cybersecurity and Infrastructure Security Agency have been providing technical assistance to victims and sharing intelligence with the industry. Attackers stole call records, compromised multiple individuals' communications and also intercepted information being gathered through government-mandated backdoors in the networks used to comply with court-ordered monitoring requests. Experts said some of that activity might have been Chinese intelligence agencies attempting to track U.S. efforts to track their operatives (see: FBI Updates on Vast Chinese Hack on Telecom Networks).

The chair of the Senate's intelligence committee, Sen. Mark Warner, D-Va., characterized the intrusions as being the "worst telecom hack in our nation's history," telling CNN that the FBI has so far alerted fewer than 150 people, largely based in the Washington area. The hackers compromised telco's communications with an unknown number of other individuals. He said some telecommunications firms are still struggling to eject all of the attackers from their networks.

The attacks are attributed to a group that Microsoft codenamed Salt Typhoon, allegedly tied to China's foreign intelligence service, the Ministry of State Security. The MSS has long targeted U.S. systems for intelligence-gathering purposes.

Beijing regularly denies perpetrating hack attacks against foreign nations.

Known Victims

Publicly named targets of the Beijing-backed cyberespionage campaign include AT&T, Verizon and Lumen.

Recently, T-Mobile said its networks were also targeted and breached, but told Information Security Media Group that it believes attackers didn't access or steal any sensitive data, including any data pertaining to customers.

Investigators said attackers also penetrated telecommunications in allied nations, which have yet to be publicly named. The full extent of the intrusion reportedly remains unknown.

Concerns have also been growing over Chinese espionage and also prepositioning destructive malware inside Western critical infrastructure that China could trigger if it invades Taiwan, to slow military response.

FBI Director Christopher Wray has warned that "China's hacking program is larger than that of every other major nation combined."

The pace of China's cyber operations against the U.S. has led the White House to order its offensive and defense cyber unit - U.S. Cyber Command - to more actively target such activity.

Cyber Command has increased the pace of operations that are "laser-focused on degrading and disrupting PRC cyber operations worldwide," said Morgan Adamski, executive director of Cyber Command, in a speech Friday.

Despite the U.S. government detecting and publicly attributing these attacks, Beijing-backed attackers "will not and are not stopping because it is part of their overarching national objectives, and cyber has become one of their most powerful levers of national power," she told attendees at the CYBERWARCON security conference in Arlington, Virginia (see: US Cyber Force Surges Global Operations Amid Rising Threats).

Reflecting the seriousness of the Chinese targeting of U.S. telecommunications firms, a classified, closed-door briefing for all senators has been scheduled for Dec. 4, a Senate aide told CNN.

Attackers' Goal: Long-Term Access

While none of the intelligence being shared by the FBI with telecoms has been detailed publicly, investigators have reportedly been probing exploits of known vulnerabilities in Cisco and other types of edge devices.

These aren't the first cyberespionage operations tied to Salt Typhoon. Security firm Trend Micro, which tracks the group as Earth Estries, said the group "has been conducting prolonged attacks" since at least 2020 with a focus on telecommunications firms, as well as governments and military agencies. Targeted countries include not only the U.S. but also Brazil, India, South Africa, Taiwan and others across the Asia-Pacific and Middle East regions.

In a Monday research report, the security researchers said that in recent years, the well-organized APT group has used a variety of tactics to gain access to targets including through trusted suppliers. This includes "aggressively targeting the public-facing servers of victims" by testing a range of known vulnerabilities. These have included targeting Ivanti Connect Secure's VPN using a chain of exploits - CVE-2023-46805 and CVE-2024-21887; a Fortinet's FortiClient Endpoint Management Server SQL injection vulnerability tracked as CVE-2023-48788; a code injection vulnerability allowing remote code execution in the user portal and WebAdmin console of Sophos Firewall, tracked as CVE-2022-3236; and the chained set of four vulnerabilities in Microsoft Exchange servers known as ProxyLogon (see: Active Chinese Cyberespionage Campaign Rifling Email Servers).

After gaining remote access to a victim's networks, the espionage-focused APT group "uses living-off-the-land binaries for lateral movement within networks to deploy malware and conduct long-term espionage," Trend Micro said. Living off the land refers to attackers using legitimate tools to make their intrusions more difficult to detect.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.